Attack (Attack ID:301906)

Release Date: 03/21/2012

Attack Name: Detected Worm CodeRed

Severity

BUG ID

CVE ID

 

Description

Microsoft Internet Information Server (IIS) versions 4.0, 5.0, and 6.0 beta are vulnerable to a buffer overflow in the handling of ISAPI (Internet Services Application Programming Interface) extensions. The 'Code Red' and 'Code Red II' worms exploit this vulnerability. 'Code Red' is a self-propagating worm that scans random IP addresses on port 80, searching for vulnerable Web servers. Once it finds a vulnerable Web server, the worm performs malicious activity before propagating to other vulnerable hosts. 'Code Red II' does not deface Web sites, as the original version of the worm did, but it carries a more serious threat: it contains a Trojan Horse payload, which could allow any remote attacker to further compromise infected systems. 'Code Red II' can also scan for vulnerable hosts much faster than previous versions, and this scanning has already been reported to cause failures in certain network components by overloading them with network traffic.

 

Solution

MS01-033: Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise
http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30833

Windows 2000 Professional, Server and Advanced Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30800